Auditing user logins and logouts

From: Willeat, Todd (TWilleat@MHP.SMHS.COM)
Date: Mon Apr 05 2004 - 16:20:19 EDT


Hi all,

My Security Administrator wants to log all logins/logouts for our AIX boxes
to a syslog server. I have set the auditing config file as follows:

start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_Login,USER_Logout,USER_Exit

users:
        root = general
        twilleat = general

However, when checking the /audit/stream.out file, I get the following entry
every few minutes:

S_PASSWD_READ root root Mon Apr 05 15:10:32 2004 OK
telnetd

S_PASSWD_READ root root Mon Apr 05 15:11:33 2004 OK
telnetd

S_PASSWD_READ root root Mon Apr 05 15:11:33 2004 OK
telnetd

S_PASSWD_READ root root Mon Apr 05 15:12:34 2004 OK
telnetd

S_PASSWD_READ root root Mon Apr 05 15:12:34 2004 OK
telnetd

Apparently this means root is reading the /etc/security/passwd file. But
nobody is logging in during these times (this is a test box). Does anyone
know how to prevent this?

Also, does anyone know if this can be set up for all users without listing
each username individually?

Thanks!

Todd A. Willeat
UNIX / Storage Administrator
Mercy Health Plans
425 South Woods Mill Road
Chesterfield, Missouri 63017-3492
(314) 214-2329 / (314) 214-8202 (fax)
twilleat@mhp.mercy.net
http://www.mercyhealthplans.com/

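An added example, not part of the original post: a small Python filter over records in the two-line layout shown in the message. It keeps only the events named in the posted "general" class and counts everything else, such as the S_PASSWD_READ entries. The sample records, the reading of the fields (event, user names, timestamp, status, then the command on the next line) and all function names are assumptions made for this illustration.

```python
from collections import Counter
from datetime import datetime

# Events in the "general" class from the posted config.
WANTED = {"USER_Login", "USER_Logout", "USER_Exit"}

# Constructed sample in the two-line layout shown in the post; the USER_Login
# and USER_Exit records and their command names are invented for illustration.
SAMPLE = """\
S_PASSWD_READ root root Mon Apr 05 15:10:32 2004 OK
telnetd

USER_Login twilleat twilleat Mon Apr 05 15:11:02 2004 OK
login

USER_Exit twilleat twilleat Mon Apr 05 15:19:40 2004 OK
telnetd
"""

def parse_header(line):
    """Return a record for an 'EVENT user... <timestamp> STATUS' line, else None."""
    parts = line.split()
    if len(parts) < 8:  # event + at least one user + 5 timestamp tokens + status
        return None
    try:
        when = datetime.strptime(" ".join(parts[-6:-1]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return {"event": parts[0], "users": parts[1:-6], "time": when,
            "status": parts[-1], "command": ""}

def parse_records(text):
    """Pair each header line with the command line that follows it."""
    records = []
    for line in text.splitlines():
        rec = parse_header(line)
        if rec:
            records.append(rec)
        elif line.strip() and records and not records[-1]["command"]:
            records[-1]["command"] = line.strip()
    return records

def login_events(text):
    """Split records into wanted login/logout events and a count of the rest."""
    recs = parse_records(text)
    kept = [r for r in recs if r["event"] in WANTED]
    noise = Counter(r["event"] for r in recs if r["event"] not in WANTED)
    return kept, noise
```

login_events(SAMPLE) returns the two login/logout records plus a counter showing one S_PASSWD_READ record was set aside.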



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:48 EDT